WO2005013558A1 - Authentication method for medic gateway - Google Patents
- Publication number
- WO2005013558A1 (PCT/CN2003/001069)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- media gateway
- shared key
- key
- gateway controller
- lifetime
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/068—Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/10—Architectures or entities
- H04L65/102—Gateways
- H04L65/1023—Media gateways
- H04L65/103—Media gateways in the network
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/10—Architectures or entities
- H04L65/102—Gateways
- H04L65/1033—Signalling gateways
- H04L65/104—Signalling gateways in the network
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1101—Session protocols
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
Definitions
- The present invention relates to the field of communications technologies, and in particular to a method for implementing media gateway authentication using the MEGACO/MGCP protocol.
Background technique
- The Media Gateway Control (MEGACO) protocol is the RFC 3015 protocol of the Internet Engineering Task Force (IETF).
- FIG. 1 shows the system network diagram of the MEGACO protocol.
- The MEGACO protocol adopts the concept of a separated gateway, dividing the original signaling and media processing gateway into two parts: a media gateway (Media Gateway, MG for short) and a media gateway controller (Media Gateway Controller, MGC).
- The MGC controls the actions of the MG through the MEGACO protocol: the MGC sends a command to the MG, the MG executes it and returns the result, and the MGC must also handle the events that the MG reports on its own initiative.
- Call logic in the MEGACO protocol is expressed through the connection model, whose two most basic components are the association (context) and the termination point; the model shows the relationship between termination points and their topology.
- the main commands between the Media Gateway Controller MGC and the Media Gateway MG include
- SERVICECHANGE (register)
- ADD (add)
- MODIFY (modify)
- SUBTRACT (delete)
- NOTIFY (notification)
- In the existing method, the media gateway MG is authenticated periodically with a constant key, which has the following drawbacks:
- the same key is used for authentication over a long period, which makes it easy for a third party to crack;
- with periodic authentication, a third party can easily pass the authentication messages through to the real MG, so that authentication between the media gateway controller MGC and the media gateway MG succeeds, while forging other MG messages to initiate calls;
- only the gateway controller MGC authenticates the media gateway MG, so the media gateway MG may be called with forged messages by an illegitimate media gateway controller MGC.
- The purpose of the present invention is to provide a more complete authentication mechanism for media gateways. It solves the problems of the traditional MG authentication method, in which a third party can easily impersonate the media gateway MG to initiate a call, can easily impersonate the media gateway controller MGC to call the media gateway MG, and the key may remain unchanged for a long time: each call can be authenticated, and the shared key can be changed regularly to effectively prevent illegal forged messages from initiating calls.
- the invention is implemented as follows:
- The invention discloses a method for authenticating a media gateway, which includes: setting an initial key for the media gateway and the media gateway controller, used for the initial digital signatures of both parties; the media gateway and the media gateway controller perform signaling communication using the initial key to generate a new shared key with a specified lifetime; the media gateway and the media gateway controller use the new shared key to authenticate calls and responses; when the lifetime of the new shared key ends, the media gateway and the media gateway controller update the shared key.
- The step of generating the shared key further includes: the media gateway initiates registration signaling to the media gateway controller, the registration signaling carrying parameters for generating the shared key and a digital signature generated with the initial key; after verifying with the initial key that the media gateway is legitimate, the media gateway controller generates a shared key and sets its lifetime; the media gateway controller initiates a modification command to the media gateway, the modification command carrying parameters for generating the shared key, a digital signature generated with the initial key, and the lifetime of the shared key; after verifying with the initial key that the media gateway controller is legitimate, the media gateway generates the shared key and sets its lifetime.
- The authentication step further includes: the media gateway controller digitally signs each call message to the media gateway with the shared key; the media gateway uses the shared key to verify the digital signature in the call message and, if it is valid, returns to the media gateway controller a response message digitally signed with the shared key; the media gateway controller uses the shared key to verify the digital signature in the response message and, if it is valid, sets up the call, otherwise rejects it.
- the step of updating the shared key further includes: the media gateway sends a notification command to the media gateway controller, requesting the media gateway controller to generate a new shared key, and the notification command carries a
- the media gateway controller uses the initial key to verify that the media gateway is legitimate, generates a new shared key and sets the shared key lifetime; the media gateway controller initiates a modification command to the media gateway, wherein the modification command includes parameters for generating a shared key, a digital signature generated from the initial key, and a shared key
- the media gateway verifies that the media gateway controller is legal with the initial key, generates a shared key and sets a lifetime of the shared key.
- the algorithm used by the media gateway controller and the media gateway to generate a shared key is different from the algorithm used by the media gateway controller and the media gateway to generate a digital signature.
- the transmission of the parameters for generating the shared key and the digital signature can be implemented by extending the fields or packets of the protocol.
- The lifetime of the shared key may be a period of time or the number of times the new shared key may be used for authentication.
- The beneficial effect of adopting the technical solution of the present invention is that it not only changes the key regularly, preventing the easy compromise that comes from authenticating with the same key for a long time; it also authenticates each call of the media gateway MG, solving the problem of a third party filtering messages to initiate illegal calls; and it prevents the media gateway MG from completing a call under the control of an illegitimate media gateway controller MGC.
- Figure 1 is a schematic diagram of the MEGACO protocol system.
- FIG. 2 is a schematic flowchart of media gateway authentication according to the present invention.
Detailed description
- The invention discloses a method for media gateway authentication, which includes the following steps.
- The algorithm by which the media gateway controller and the media gateway generate the shared key, and the algorithm by which they generate the digital signature, may be any appropriate algorithm chosen according to the required security level; the present invention places no limitation on the specific algorithms used.
- The media gateway MG and the media gateway controller MGC are initially provided with a key S for the initial digital signatures of the two parties. The key S held by the media gateway MG and by the media gateway controller MGC may differ, as long as each can verify the other party's digital signature; the transmission of the key and parameters can be realized by extending MEGACO fields or packets.
- The media gateway MG first initiates registration signaling with the media gateway controller MGC, carrying a parameter for generating the shared key and a digital signature.
- After verifying that the signature is valid, the media gateway controller MGC generates the shared key and sends a modify command to the media gateway MG carrying the parameters for generating the shared key, a digital signature, and the shared key lifetime. After receiving it, the media gateway MG verifies that the digital signature is valid and generates the shared key.
- Before making a call, the media gateway controller MGC and the media gateway MG use the shared key to sign and to verify each other's legitimacy.
- When the shared key becomes invalid, the media gateway MG must immediately request, using the notification command, that the media gateway controller MGC generate a new shared key, and obtain the lifetime of the new key.
- Figure 2 shows the detailed authentication process. Let the initial key between the MG and the MGC be S.
- The media gateway MG sends a registration message to the media gateway controller MGC. The message carries the information M used by the media gateway controller MGC to generate the shared key, together with a digital signature generated with the key S.
- After receiving the message, the media gateway controller MGC uses the key S to verify the digital signature; if successful, it uses the shared key information M to generate the shared key S', and responds to the media gateway MG with success.
- The media gateway controller MGC sends a modification (MODIFY) message to the media gateway MG, which carries the information N used by the media gateway MG to generate the shared key, a digital signature generated with the key S over the shared key information N or over the entire message, and the lifetime of the new shared key; the lifetime can be a period of time or the number of times the new shared key can be used for authentication.
- After receiving the message, the media gateway MG uses the key S to verify the digital signature; if successful, it uses the shared key information N to generate the shared key, and responds to the media gateway controller MGC.
- When placing a call, the media gateway controller MGC digitally signs with the new shared key S'.
- After receiving the call message, the media gateway MG uses the new shared key to verify the digital signature. If verification succeeds, proving the media gateway controller MGC legitimate, the response to the media gateway controller MGC is also digitally signed with the new shared key. After receiving the response, the media gateway controller MGC verifies it with the new shared key S' and, if it is valid, the call is established successfully; otherwise the call is rejected as coming from an illegitimate media gateway MG. The media gateway controller MGC periodically authenticates the media gateway MG in the same way.
- To update the key, the media gateway MG reports a notification (NOTIFY) message to the media gateway controller MGC. The message carries the information N' used by the media gateway controller MGC to generate the shared key, together with a digital signature generated with the key S over the shared key information N' or over the entire message.
- After receiving the message, the media gateway controller MGC verifies the digital signature with the key S; if successful, it generates the new shared key using the shared key information, and responds to the media gateway MG with success.
- The media gateway controller MGC sends a modification (MODIFY) message to the media gateway MG. The message carries the information N' used by the media gateway MG to generate the shared key, a digital signature generated with the key S over the shared key information N' or over the entire message, and the lifetime of the new shared key.
- The media gateway MG uses the shared key information N' to generate the new shared key and uses it to authenticate subsequent calls and periodic authentication, then responds to the media gateway controller MGC with success.
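The registration, per-call authentication and key-update exchanges described above, as an added Python simulation that is not part of the patent or of any vendor's MEGACO implementation. The message bodies (SERVICECHANGE, MODIFY, ADD, NOTIFY as labelled byte strings), the use of HMAC-SHA256 as the "digital signature", the SHA-256 derivation of S' from S and both parties' parameters M and N, and a lifetime counted in authentications are all assumptions; the patent leaves the algorithms and encodings open. The simulation also exercises the two threats the text names, a controller that does not hold S' and a gateway that does not hold S, and shows both being refused.

```python
"""Constructed simulation of the MG/MGC shared-key authentication flow.
The message encodings, the HMAC-SHA256 signature and the SHA-256 key
derivation are assumptions; the patent leaves all three open."""
import hashlib
import hmac
import secrets


def sign(key: bytes, msg: bytes) -> bytes:
    """Digital signature over a message; HMAC-SHA256 stands in for the deployed scheme."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), tag)


def derive_shared_key(initial_key: bytes, m: bytes, n: bytes) -> bytes:
    """Assumed derivation of S' from the initial key S, the MG's parameter M
    and the MGC's parameter N, deliberately a different primitive from sign()."""
    return hashlib.sha256(b"shared-key|" + initial_key + b"|" + m + b"|" + n).digest()


def modify_body(n: bytes, lifetime: int) -> bytes:
    """Canonical bytes of the MODIFY command that the signature under S covers."""
    return b"MODIFY|" + n + b"|" + lifetime.to_bytes(4, "big")


class MediaGatewayController:
    def __init__(self, initial_key: bytes, lifetime_uses: int):
        self.s = initial_key            # initial key S, signs key-setup messages only
        self.lifetime_uses = lifetime_uses
        self.shared = None              # current shared key S'

    def handle_key_request(self, command: bytes, m: bytes, sig: bytes):
        """SERVICECHANGE (registration) and NOTIFY (re-key) both carry M signed
        under S. Returns the MODIFY command, or None if the MG is not legitimate."""
        if not verify(self.s, command + b"|" + m, sig):
            return None
        n = secrets.token_bytes(16)
        self.shared = derive_shared_key(self.s, m, n)
        return {"n": n, "lifetime": self.lifetime_uses,
                "sig": sign(self.s, modify_body(n, self.lifetime_uses))}

    def place_call(self, mg, call_id: bytes) -> bool:
        """ADD signed with S'; the call is set up only if the MG's reply verifies under S'."""
        request = b"ADD|" + call_id
        reply_sig = mg.handle_call(request, sign(self.shared, request))
        return reply_sig is not None and verify(self.shared, b"REPLY|" + call_id, reply_sig)


class MediaGateway:
    def __init__(self, initial_key: bytes):
        self.s = initial_key
        self.shared = None
        self.uses_left = 0              # lifetime expressed as remaining authentications

    def _request_key(self, mgc, command: bytes) -> bool:
        m = secrets.token_bytes(16)
        modify = mgc.handle_key_request(command, m, sign(self.s, command + b"|" + m))
        if modify is None:
            return False
        if not verify(self.s, modify_body(modify["n"], modify["lifetime"]), modify["sig"]):
            return False                # MODIFY not from a controller holding S
        self.shared = derive_shared_key(self.s, m, modify["n"])
        self.uses_left = modify["lifetime"]
        return True

    def register(self, mgc) -> bool:
        return self._request_key(mgc, b"SERVICECHANGE")

    def rekey(self, mgc) -> bool:
        return self._request_key(mgc, b"NOTIFY")

    def handle_call(self, request: bytes, sig: bytes):
        """Verify the MGC's signature under S'; each successful check consumes one use."""
        if self.shared is None or self.uses_left <= 0:
            return None                 # key expired: refuse until re-keyed
        if not verify(self.shared, request, sig):
            return None                 # not from the legitimate MGC; no use consumed
        self.uses_left -= 1
        return sign(self.shared, b"REPLY|" + request.split(b"|", 1)[1])


def run_protocol(lifetime_uses: int = 3) -> dict:
    """Register, use S' up to its lifetime, re-key, and show forged traffic failing."""
    s = secrets.token_bytes(32)
    mgc, mg = MediaGatewayController(s, lifetime_uses), MediaGateway(s)
    out = {"registered": mg.register(mgc), "keys_match": mg.shared == mgc.shared}
    out["calls_ok"] = sum(mgc.place_call(mg, b"call%d" % i) for i in range(lifetime_uses))
    out["expired_call"] = mgc.place_call(mg, b"late")       # lifetime exhausted
    out["rekeyed"] = mg.rekey(mgc) and mg.shared == mgc.shared
    out["call_after_rekey"] = mgc.place_call(mg, b"next")
    impostor = MediaGatewayController(secrets.token_bytes(32), lifetime_uses)
    impostor.shared = secrets.token_bytes(32)               # knows neither S nor S'
    out["impostor_call"] = impostor.place_call(mg, b"fake")
    out["impostor_register"] = MediaGateway(secrets.token_bytes(32)).register(mgc)
    return out


if __name__ == "__main__":
    print(run_protocol())
```

Running the file prints the outcome dictionary. One design choice worth noting: a failed signature check in `handle_call` does not consume a lifetime use, so junk ADD messages from a party without S' cannot force the MG into premature re-keying; and S itself signs only the key-setup messages, so it is exposed to far fewer verifications than the per-call key S'.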
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP03779653.9A EP1653661B1 (en) | 2003-08-05 | 2003-12-16 | Authentication method for medic gateway |
ES03779653.9T ES2515815T3 (en) | 2003-08-05 | 2003-12-16 | Authentication method for medical gateway |
AU2003289653A AU2003289653A1 (en) | 2003-08-05 | 2003-12-16 | Authentication method for medic gateway |
US10/566,206 US7492899B2 (en) | 2003-08-05 | 2003-12-16 | Authentication method for media gateway |
US11/566,206 US7389408B1 (en) | 2003-08-05 | 2006-12-01 | Microarchitecture for compact storage of embedded constants |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN03149767.5A CN1286306C (en) | 2003-08-05 | 2003-08-05 | Media gate link right discriminating method |
CN03149767.5 | 2003-08-05 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005013558A1 (en) | 2005-02-10 |
Family
ID=34109573
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2003/001069 WO2005013558A1 (en) | 2003-08-05 | 2003-12-16 | Authentication method for medic gateway |
Country Status (7)
Country | Link |
---|---|
US (1) | US7492899B2 (en) |
EP (1) | EP1653661B1 (en) |
CN (1) | CN1286306C (en) |
AU (1) | AU2003289653A1 (en) |
ES (1) | ES2515815T3 (en) |
PT (1) | PT1653661E (en) |
WO (1) | WO2005013558A1 (en) |
Families Citing this family (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1275419C (en) * | 2002-10-18 | 2006-09-13 | 华为技术有限公司 | Network safety authentication method |
CN100384251C (en) * | 2004-08-02 | 2008-04-23 | 华为技术有限公司 | User authorization method and its authorization system |
CN1992706A (en) * | 2005-12-26 | 2007-07-04 | 华为技术有限公司 | Method for adjusting statistical parameter value in media gateway |
ATE524006T1 (en) * | 2007-06-11 | 2011-09-15 | Fts Computertechnik Gmbh | METHOD AND ARCHITECTURE FOR SECURING REAL-TIME DATA |
EP2262214A1 (en) * | 2008-04-21 | 2010-12-15 | NEC Corporation | Ims system, as device and mgw device, and method of notifying regulation on congestion in ims system |
CN102812681B (en) | 2010-02-11 | 2015-04-15 | 华为技术有限公司 | Media stream transmission key operating method, apparatus and system |
CN102202389B (en) * | 2010-03-25 | 2016-03-30 | 中兴通讯股份有限公司 | A kind of method and system gateway being realized to management |
CN102215560B (en) * | 2010-04-08 | 2015-06-10 | 中兴通讯股份有限公司 | Method and system for managing M2M (machine to machine) terminal |
US8555332B2 (en) | 2010-08-20 | 2013-10-08 | At&T Intellectual Property I, L.P. | System for establishing communications with a mobile device server |
US8438285B2 (en) | 2010-09-15 | 2013-05-07 | At&T Intellectual Property I, L.P. | System for managing resources accessible to a mobile device server |
US8478905B2 (en) | 2010-10-01 | 2013-07-02 | At&T Intellectual Property I, Lp | System for synchronizing to a mobile device server |
US8989055B2 (en) | 2011-07-17 | 2015-03-24 | At&T Intellectual Property I, L.P. | Processing messages with a device server operating in a telephone |
US8443420B2 (en) | 2010-10-01 | 2013-05-14 | At&T Intellectual Property I, L.P. | System for communicating with a mobile device server |
US8610546B2 (en) | 2010-10-01 | 2013-12-17 | At&T Intellectual Property I, L.P. | System for selecting resources accessible to a mobile device server |
US8516039B2 (en) | 2010-10-01 | 2013-08-20 | At&T Intellectual Property I, L.P. | Apparatus and method for managing mobile device servers |
US8504449B2 (en) | 2010-10-01 | 2013-08-06 | At&T Intellectual Property I, L.P. | Apparatus and method for managing software applications of a mobile device server |
US9392316B2 (en) | 2010-10-28 | 2016-07-12 | At&T Intellectual Property I, L.P. | Messaging abstraction in a mobile device server |
US9066123B2 (en) | 2010-11-30 | 2015-06-23 | At&T Intellectual Property I, L.P. | System for monetizing resources accessible to a mobile device server |
CN103685353A (en) * | 2012-09-05 | 2014-03-26 | 中兴通讯股份有限公司 | Method and device for managing terminal through gateway |
US9462332B2 (en) | 2012-12-05 | 2016-10-04 | At&T Intellectual Property I, L.P. | Method and apparatus for controlling a media device |
CN103560875B (en) * | 2013-08-27 | 2016-08-17 | 兴唐通信科技有限公司 | Designated lane cryptographic key negotiation method based on H.248 agreement and device |
JP2015186249A (en) * | 2014-03-26 | 2015-10-22 | 沖電気工業株式会社 | Communication system, session controller, and transfer controller |
US11223473B2 (en) * | 2019-02-01 | 2022-01-11 | EMC IP Holding Company LLC | Client-driven shared secret updates for client authentication |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1308472A (en) * | 2000-02-09 | 2001-08-15 | 朗迅科技公司 | Cipher key refreshing method and device by using refreshing cipher key |
WO2002054201A2 (en) * | 2000-12-29 | 2002-07-11 | Intel Corporation | System and method for providing authentication and verification services in an enhanced media gateway |
CN1411224A (en) * | 2001-09-29 | 2003-04-16 | 华为技术有限公司 | Safe identification method of PC customer's terminal |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7089211B1 (en) * | 2000-01-12 | 2006-08-08 | Cisco Technology, Inc. | Directory enabled secure multicast group communications |
CA2417922C (en) * | 2000-08-04 | 2013-03-12 | Lynn Henry Wheeler | Person-centric account-based digital signature system |
EP1318683A1 (en) * | 2001-12-10 | 2003-06-11 | Siemens Aktiengesellschaft | Method to transmit signalling messages and associated device, signalling message and program |
US20060274899A1 (en) * | 2005-06-03 | 2006-12-07 | Innomedia Pte Ltd. | System and method for secure messaging with network address translation firewall traversal |
2003
- 2003-08-05 CN CN03149767.5A patent/CN1286306C/en not_active Expired - Lifetime
- 2003-12-16 WO PCT/CN2003/001069 patent/WO2005013558A1/en active Application Filing
- 2003-12-16 US US10/566,206 patent/US7492899B2/en not_active Expired - Lifetime
- 2003-12-16 EP EP03779653.9A patent/EP1653661B1/en not_active Expired - Lifetime
- 2003-12-16 AU AU2003289653A patent/AU2003289653A1/en not_active Abandoned
- 2003-12-16 PT PT37796539T patent/PT1653661E/en unknown
- 2003-12-16 ES ES03779653.9T patent/ES2515815T3/en not_active Expired - Lifetime
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1308472A (en) * | 2000-02-09 | 2001-08-15 | 朗迅科技公司 | Cipher key refreshing method and device by using refreshing cipher key |
WO2002054201A2 (en) * | 2000-12-29 | 2002-07-11 | Intel Corporation | System and method for providing authentication and verification services in an enhanced media gateway |
CN1411224A (en) * | 2001-09-29 | 2003-04-16 | 华为技术有限公司 | Safe identification method of PC customer's terminal |
Non-Patent Citations (1)
Title |
---|
See also references of EP1653661A4 * |
Also Published As
Publication number | Publication date |
---|---|
EP1653661A4 (en) | 2012-01-04 |
US7492899B2 (en) | 2009-02-17 |
EP1653661B1 (en) | 2014-07-30 |
US20060236101A1 (en) | 2006-10-19 |
PT1653661E (en) | 2014-10-22 |
EP1653661A1 (en) | 2006-05-03 |
CN1581858A (en) | 2005-02-16 |
ES2515815T3 (en) | 2014-10-30 |
CN1286306C (en) | 2006-11-22 |
AU2003289653A1 (en) | 2005-02-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2005013558A1 (en) | Authentication method for medic gateway | |
JP5651313B2 (en) | SIP signaling that does not require continuous re-authentication | |
US7813509B2 (en) | Key distribution method | |
CN111262692B (en) | Key distribution system and method based on block chain | |
US6892308B1 (en) | Internet protocol telephony security architecture | |
WO2006000144A1 (en) | The session initial protocol identification method | |
US20030014668A1 (en) | Mechanism to allow authentication of terminated SIP calls | |
WO2007009343A1 (en) | Access authorization system of communication network and method thereof | |
US8923279B2 (en) | Prevention of voice over IP spam | |
JP2007006154A (en) | Communication system and session establishing method | |
TWI456962B (en) | Authentication system and method | |
WO2007076720A1 (en) | A control method and decive of media resource | |
CN110572819B (en) | Block chain-based multi-domain wireless Mesh network cross-domain authentication method and system | |
WO2021031741A1 (en) | Voip processing method, device, and terminal | |
US7591013B2 (en) | System and method for client initiated authentication in a session initiation protocol environment | |
JP4778282B2 (en) | Communication connection method, system, and program | |
EP2809042A1 (en) | Method for authenticate a user associated to a user agent implemented over SIP protocol | |
WO2012003689A9 (en) | Distributed dynamic key management methods and apparatuses | |
DE60300912D1 (en) | Procedure for managing the security of Border Gateway Protocol messages | |
CN1881870A (en) | Method for safety communication between devices | |
JP2004509567A (en) | Internet Protocol Telephony Security Architecture | |
WO2010115322A1 (en) | Method and system for joining group session with pre-defined joining | |
CA2461418C (en) | Method and device for implementing a firewall application for communication data | |
CN103200200A (en) | Illegal dialing prevention method of SIP terminal and SIP server | |
JP2006229699A (en) | System for providing session control service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 2003779653 Country of ref document: EP |
| WWP | Wipo information: published in national office | Ref document number: 2003779653 Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2006236101 Country of ref document: US Ref document number: 10566206 Country of ref document: US |
| WWP | Wipo information: published in national office | Ref document number: 10566206 Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: JP |